Citrix Breach: What We Know So Far

Announcing you've been breached by hackers is always an unpleasant experience.

But announcing that news when you are Citrix, a well-known cybersecurity vendor, really hurts.

You've helped so many customers stay secure—so what went wrong at home?

Citrix gets hacked, what we know so far

Citrix Chief Security and Information Officer Stan Black and his team are trying to make sense of that right now. Here is what he has shared so far about the Citrix network breach and what the company knows.

On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network.

Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.

Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.

While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.

How did the Citrix breach happen?

Citrix says the FBI has suspicions that the hackers likely used a tactic known as password spraying, which finds and exploits weak passwords.

Once hackers gained a foothold with limited access, Citrix says, they were able to circumvent additional layers of security to move through the network and find their way to the business documents.
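For defenders, password spraying has a recognizable shape in authentication logs: one source fails against many different accounts with only a try or two per account, unlike brute force, which hammers a single account. The sketch below is an added example, not part of the original article or anything Citrix or the FBI published; the log format, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): timestamp source-ip user result
SAMPLE_LOG = """\
2019-03-01T09:00:05 203.0.113.7 alice FAIL
2019-03-01T09:00:41 203.0.113.7 bob FAIL
2019-03-01T09:01:17 203.0.113.7 carol FAIL
2019-03-01T09:01:52 203.0.113.7 dave FAIL
2019-03-01T09:02:30 203.0.113.7 erin FAIL
2019-03-01T09:03:08 203.0.113.7 frank OK
2019-03-01T09:10:00 198.51.100.9 admin FAIL
2019-03-01T09:10:01 198.51.100.9 admin FAIL
2019-03-01T09:10:02 198.51.100.9 admin FAIL
2019-03-01T09:15:00 192.0.2.10 alice FAIL
2019-03-01T09:15:20 192.0.2.10 alice OK
"""

def parse(log):
    """Return sorted (time, source, user, result) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, user, result = parts
            events.append((datetime.fromisoformat(ts), src, user.lower(), result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources that fail against many accounts with few tries per account."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            fails = defaultdict(int)
            for _, _, user, result in evs[start:end + 1]:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # A success from this source since the window opened is a likely foothold.
                wins = sorted({u for t, _, u, r in evs if r == "OK" and t >= evs[start][0]})
                alerts.append({"source": src, "users_tried": sorted(fails), "successes": wins})
                break  # one alert per source
    return alerts
```

On the sample data only the first source is flagged; the repeated failures against a single account and the ordinary mistyped-then-correct login are not.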

Why is the FBI telling a cybersecurity company about a breach?

Some may see it as ironic that Citrix had to be told by the FBI that it had a breach on its hands. However, it may be more common than most in the industry like to admit.

"The FBI as a source of breach notification happens far too often, and it is unfortunate because once the FBI is aware it is usually too late, as exfiltration of information has already occurred," says Chris Morales, Head of Security Analytics at Vectra, which applies AI to detect and hunt for cyber attackers.

"While we often point to lack of maturity of security operations as to why a company would miss an attack, it is even more unfortunate when a security vendor is compromised who does have the skills and capabilities to defend against cyber attacks. I think the key telling point here is that breaches can happen to anyone."

Breaches can happen to anyone.

And that's why incident response is such a requested and discussed topic among security leaders at SecureWorld cybersecurity conferences in 2019.

Speaking of that, here's what cyber attorney Shawn Tuma told us about the importance of "personality" in incident response: